On Thursday, Ireland’s Data Protection Commission (DPC) fined Meta’s WhatsApp a new €5.5 million for violating data protection laws when processing users’ personal data.
As a result of the ruling, the platform’s Terms of Service have been updated, requiring users to agree to the new terms in preparation for the General Data Protection Regulation (GDPR) in May 2018.
The complaint, filed by privacy nonprofit NOYB, alleged that WhatsApp violated its rules by forcing users to “agree to the processing of their personal information to improve and protect the service.”
In a statement, the DPC said, “WhatsApp Ireland is not permitted to rely on contractual legal grounds to provide service improvements and security .” He added that it violates the GDPR.
In addition to the fine, the messaging app was also ordered to comply with operations within six months. It’s worth noting that Meta has its European headquarters in Dublin.
However, the DPC says it has no plans to investigate whether WhatsApp processes user metadata for advertising, which it says is ” open-ended and speculative.” In response, NOYB criticized the agency for refusing to respond.
“WhatsApp says it’s encrypted, but that only applies to chat content, not metadata, ” said NOYB’s Max Schrems. “WhatsApp still knows who and when you chat with most often. This gives Meta a very good understanding of the social fabric around you.”
“Meta knows this information to serve targeted ads that our friends are already interested in,” added Schrems. Despite 4.5 years of investigation, the DPC now appears to simply refuse to rule on the matter.
WhatsApp received particular backlash in early 2021 when it announced a similar update to its privacy policy requiring users to accept the changes in order to continue using the service, with the European Commission ruling that the company would “clearly” inform the consumer about its business model.
WhatsApp will indicate how it plans to notify future updates to its Terms of Service so that consumers can easily understand the impact of such updates.
Additionally, WhatsApp was previously under investigation for questionable data-sharing practices around targeted advertising with parent company Meta (then Facebook). The EU has fined the social media giant €110 million for “providing false or misleading information” during a merger investigation following its 2014 acquisition of WhatsApp.
The latest fine comes two weeks after the DPC fined Meta €390 million for processing user data to serve personalized ads on Facebook and Instagram, and for behavioral advertising. We gave the company three months to establish a valid legal basis for processing personal data.
According to NOYB, the European Data Protection Board (EDPB) ignored the revenue generated by violating GDPR when calculating its fine, and that Meta was saved almost €4 billion by DPC’s maneuver.